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An Ascending Scale of Badness 
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Port Scan for known exploits 

Spew spam 

Mount a fake web site attack 

Enlist a bot army and mount multi-gigabit DOS attacks 

Mount a routing attack 





If I were bad 
(and greedy )~ 







If I were bad 
(and greedy )~ 



• Through routing I'd attack the DNS 

• Through the DNS I'd lure traffic through an 
interceptor web server 

• And be able to quietly collect users' details 
quietly, selectively and (if I am careful) 
undetectably 




If I were really "bad 
(and evil)~ 







If I were really "bad 
(and evil)~ 

• Through routing l' d attack: 

- the route registry server system 

- the DNS root system 

- trust anchors for TLS and browser certificates 

- isolate critical public servers and resources 

- overwhelm the routing system with spurious information 
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Some recent cases 



208.65.153.0/24 originated by AS17557 

Advertisement of a more specific route by Pakistan Telecom 
that managed to take YouTube off the air in February 2008 

61.0.0.0/8 originated by AS4678 

Advertisement of a more general route by a spammer in 
order to conceal their identity by using an anonymous source 
ip address, occurring intermittently 2004 - 2007 

d000::/8 originated by AS28716 

Advertisement of a massive bogon more general route in IPV6 
from 13 Nov 2009 until 15 Jan 2010 - and noone noticed for 2 
months! 



How many advertisements in 
today's BGP are "lies"? 



www. cidr-report . org 
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getting the point yet? 
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What' s the base problem 

here? 



Addresses and Routing are insecure 

• Routing is built on sloppy mutual trust models 

• Routing auditing is a low value activity that noone 
performs with any level of thoroughness 

• We have grown used to lousy solutions and 
institutionalized lying in the routing system 

• And because instances of abuse are supposedly relatively 
infrequent we are prepared to tolerate the risk of having 
a completely insecure routing system 



What' s the base problem 

here? 






Routing Security is a 
shared problem 
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- Nobody can single-handedly apply rigorous tests on the routing 
system 

- And the lowest common denominator approach is to apply no 
integrity tests at all 

- It's all trust and absolutely no defence 



Routing Security 

1. Protecting routing protocols and their operation 

- Threat model: 

• Disrupt the operation of the routing protocol by a "man-in-the-middle" 
attack 

• Compromise the topology discovery / reachability operation of the 
routing protocol by injection of false routing information 

- Response: 

• Current operational best practice uses TCP-MD5 and avoids eBGP- 
multihop 

MITM Inject: 101.1.1.0/24 (1,2,3) 



10.0.0.0/8 (1,2,3) 



Routing Integrity 

2. Protecting the routing protocol payload 

- Threat model: 

• Compromised router or compromised Routing Entity (AS) 

• Insert corrupted address information into your network's routing tables 

• Insert corrupt reachability information into your network's forwarding 
tables 

• Allow the routing protocol to disseminate the corrupted information 
across the entire internet 

AS 666 

Routing attack on _— 

10.0.1.0/24 I . 10.0.1.0/24 (1,666) NO EXPORT 

AS 4 




10.0.0.0/8 (1,2,3) 10.0.0.0/16 (1,2,3,4) 



Threats 



Corrupting the routers' forwarding tables can result in: 

- Misdirecting traffic (subversion, denial of service, third party inspection, 
passing off) 

- Dropping traffic (denial of service) 

- Adding false addresses into the routing system (anon attacks) 

- Isolating or removing the router from the network 



AS 666 
Routing attack on 
10.0.1.0/24 |_ Traffic to 10.0.1.0/24 

AS 4 




Traffic to 1 0.0.0.0/8 Traffic to 1 0.0.0.0/8 
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A (random) BGP Update 

2010/01/26 00:03:35 rcvd UPDATE w/ attr: 

nexthop 203.119.76.3, origin i, path 4608 1221 4637 3561 
3356 4657 4773 

124.197.64.0/19 



Routing Security 

The basic routing payload security questions that need to 
be answered are: 

- Who injected this address prefix into the network? 

- Did they have the necessary credentials to inject this 
address prefix? Is this a valid address prefix? 

- Is the forwarding path to reach this address prefix 
trustable? 

And can these questions be answered by any BGP 
speaker quickly and cheaply? 



BGP Update Validation 

2010/01/26 00:03:35 rcvd UPDATE w/ attr: 

nexthop 203.119.76.3, origin i, path 4608 1221 4637 3561 
3356 4657 4773 

124.197.64.0/19 



i 



is 124.197.64.0/19 a "valid" prefix? 



BGP Update Validation 

2010/01/26 00:03:35 rcvd UPDATE w/ attr: 

nexthop 203.119.76.3, origin i, path 4608 1221 4637 3561 
3356 4657 4773 

124.197.64.0/19 

.64.0/19 a "valid" prefix? 
isAS4773a"valid"ASN? 



BGP Update Validation 

2010/01/26 00:03:35 rcvd UPDATE w/ attr: 

nexthop 203.119.76.3, origin i, path 4608 1221 4637 3561 
3356 4657 4773 

124.197.64.0/1! 



is 124.197.64.0/19 a "valid" prefix? 

is AS4773 a "valid" ASN? 

Is 4773 an "authorized AS to advertise a route to this prefix? 



BGP Update Validation 

2010/01/26 00:03:35 rcvd UPDATE w/ attr: 

nexthop 203.119.76.3, origin i, path 4608 1221 4637 3561 
3356 4657 4773 

124.197.fr 





.64.0/19 aAalid" prefix? 
isAS4773a"validK'ASN? 
Is 4773 an "aj/morized AS to advertise a route to this prefix? 

Is the AS Path valid? 

- Is AS 4657 a valid AS, and did AS 4773 advertise this route to AS 4657? 

- Is AS 3356 a valid AS, and did AS 4657 advertise this route to AS 3356? 

- etc 



A Foundation for Routing 

Security 



The use of authenticatable attestations to allow automated 
validation of: 

- the authenticity of the route object being advertised 

- authenticity of the origin AS 

- the binding of the origin AS to the route object 

Such attestations used to provide a cost effective method of 
validating routing requests 

- as compared to the today's state of the art based on techniques of 
vague trust and random whois data mining 



A Foundation for Routing 

Security 



Adoption of some basic security functions into the 
Internet's routing domain: 

• Injection of reliable trustable data 

A Resource PKI as the base of validation of network data 

• Explicit verifiable mechanisms for integrity of data distribution 

Adoption of some form of certified authorization mechanism to 
support validation of credentials associated with address and 
routing information 



A Starting Point 

• How can you certify who what which address? 

- follow the allocation trail 

- Certification of the "Right-of-Use" of IP Addresses and AS numbers as 
a linked attribute of the Internet' s number resource allocation and 
distribution framework 

For example: 



APNIC (the "Issuer") certifies that: 
the certificate's "Subject" 

whose public key is contained in the certificate 

is the current holder of a set of IP address and AS resources 

that are listed in the certificate extension 



APNIC does NOT certify the identity of the subject, nor their good (or evil) intentions! 



Resource Certificates 



Resource 
Allocation 
Hierarchy 



IANA 



AFRINIC 



RIPE NCC 



ARIN 



APNIC 



LACNIC 






Resource Certificates 
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AFRINIC RIPE NCC 


ARIN APNIC LACNIC 
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AFRINIP. RIPF MCC 


ARIN APNIC LACNIC 




Issuer: APNIC 
Subject: NIR2 
Resources: 192.2.0.0/16 
Key Info: <nir2-key-pub> 
Signed: <apnic-key-priv> 


/ 

Issued Certificates 


JiK1 NIR2 
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ISP 


ISP ISP ISP4 ISP ISP ISP 









Resource Certificates 



Resource 
Allocation 
Hierarchy 



AFRIMIP. RIPF MP.P. 



.0/11 



Issuer: APNIC 
Subject: NIR2 
Resources: 192.2.0.( 
Key Info: <nir2-key-pub> 
Siniwl- <annir-kp\/-nri\/: 

Issuer: NIR2 * — " 
Subject: ISP4 
Resources: 192.2.200.0/24 
Key Info: <isp4-key-pub> 
Signed: <nir2-key-priv> 



Issued Certificates 




ISP4 ISP ISP ISP 



Resource Certificates 



Resource 
Allocation 
Hierarchy 



AFRIMIP. 



Issuer: APNIC 
Subject: NIR2 
Resources: 192 
Key Info: <nir2- 

SinnfiH- <annir. 



Issued Certificates 



Issuer: NIR2 
Subject: ISP4 
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Issuer: ISP4 
Subject: ISP4-EE 
Resources: 192.2.200.0/24 
Key Info: <isp4-ee-key> x* 
Signed: <isp4-key-priv> 
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What could you. do with 
Resource Certificates? 



• You could sign "routing authorities" with your private key, 
providing an authority for an AS to originate a route for the named 
prefix. Any Relying Party could validate this authority in the RPKI 

• You could use the private key to sign routing information in an 
Internet Route Registry 

• You could attach a digital signature to a protocol element in a 
routing protocol 

• You could issue signed derivative certificates for any sub- 
allocations of resources 



Signed Objects 



Resource 
Allocation 
Hierarchy 



AFRINIC RIPE NCC ARIN 



Route Origination Authority 
"ISP4 permits AS65000 to 
originate a route for the prefix 
192.2.200.0/24" 

Attachment: <isp4-ee-cert> 

1^4.' 4- 
Signed, 

ISP4 <isp4-ee-key-priv> < *>^ 




LACNIC 



Issued Certificates 



ISP ISP4 ISP ISP ISP 




Signed Object Validation 



Resource 
Allocation 
Hierarchy 









Issued Certificates 



Route Origination Authority 
"ISP4 permits AS65000 to 
originate a route for the prefix 
192.2.200.0/24" __ 

Attachment: <isp4-ee-c 




Signed, 
ISP4 <isp4-ee-key-priv> <e ^> 
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1 . Did the matching private key sign 
this text? 



Signed Object Validation 



Resource 
Allocation 
Hierarchy 









Issued Certificates 



Route Origination Authority 
"ISP4 permits AS65000 to 
originate a route for the prefix 
192.2.200.0/24" 



Attachment: <isp4-ee-cert> 



Signed, 




ISP4 <isp4-ee-key-priv> *^ 2 . Is this certificate valid? 



Signed Object Validation 



Resource 
Allocation 
Hierarchy 



I AN A Trust Anchor 









Issued Certificates 



Route Origination Authority 
"ISP4 permits AS65000 to 
originate a route for the prefix 
192.2.200.0/24" 



Attachment: 



Signed, 



:isp4-ee-cert> 

— ^ 




im 



ISP4 <isc-4-ee-k< ^ - ' s tnere a ya ^ certificate path from a Trust Anchor 
to this certificate? 



Signed Object Validation 



Resource 
Allocation 
Hierarchy 









Route Origination Authority 
"ISP4 permits AS65000 to 
originate a route for the prefix 
192.2.200.0/24" __ 



Attachment: <isp4-ee-cert> 

Signed, 
ISP4 <isp4-ee-key-priv> *■»> 



Validation Outcomes 

1 . ISP4 authorized this Authority 
document 

2. 192.2.200.0/24 is a valid address, 
derived from an APNIC allocation 

3. ISP4 holds a current right-of-use of 
192.2 200.0/24 

4. A route object, where AS65000 
originates an advertisement for the 
address prefix 192.2.200.0/24, has 
the explicit authority of ISP4, who is 
the current holder of this address 
prefix 



A (partial) architecture 

for securing BGP 

origination 



Local 

RPKI 

processor 
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BGP 
BGP Filter Router 
(Origin AS + 
prefix mask) 



Synchronization 



Distributed RPKI Publication Repositories 
(Certificates and Routing Authorities) 



ROA-basea Filtering 



If a ROA exists for (10.0.1.0.24, AS 3) then the AS666 
attack is detectable and preventable at AS 4 



ROA: 

Permit AS3 to originate 10.0.1.0/24 



Routing attack on 
10.0.1.0/24 



ROA Filter Actions 

10.0.1.0/24, AS 3 OK 
10.0.0.1/24 AS 666 INVALID 



AS 666 



10.0.1.0 



AS 3 

10.0.0.0/8 (1,2,3) 



24 (1,666) NO EXPORT 
AS 4 




10.0.0.0/16 (1,2,3,4) 



What about AS Path 
Validation? 



Securing the AS PATH 

We need two additional components: 

- An RPKI router certificate (AS and BGP router ID) 

- a new BGP attribute 

- Each eBGP Router "forward signs" the AS Path with its 
private key 

- Each validating routing can validate the chain of signatures 
against the AS Path to match the path to the sig chain 

AS2 



AS3 




Securing the AS PATH 



We need two additional components: 

- An RPKI router certificate (AS and BGP router ID) 

- a new BGP attribute 



10.0.1.0/24, AS Path: 1 
10.0.1.0/24, AS1,AS2, Keyl 
Signed: Router AS1 



P 



10.0.1.0/24, AS Path: 2,1 
10.0.1.0/24, AS1, AS2, Keyl 
Signed: Router AS1 
AS2, AS3, Key2 
Signed: Router AS2 




E^ 



AS3 



Securing the AS Path 



Each router to sign across the triplet of: the 
signature of what was received, its own AS and the 
next hop AS 

BGPsec routers are required to unchain the signature 
set and match it to the AS Path in the update, using 
the local RPKI cache to validate the router signatures 



Signing the AS Path 

• The AS Path represents the inter-AS propagation 
path of the route from the origin to the BGP speaker 

• Attempts to manipulate the AS Path by adding or 
removing AS's will invalidate this signature chain 
attribute of the update 

• "validation" of an update allows the receiver to 
assure themselves that each AS propagated the 
route in the order shown in the AS Path 



Securing the AS Path 

BUT: 
It adds size and weight to the operation of BGP 
It's slow and cumbersome 
It cannot be deployed incrementally piecewise 
Partial deployment has limited benefits 
It's brittle 
It's not clear that gain > pain! 



Concerns 



The major issue here is that of partial use and deployment 

- This security mechanism has to cope with partial deployment in 
the routing system 

• The basic conventional approach of "what is not certified and proved as good 
must be bad" will not work in a partial deployment scenario 

- In BGP we need to think about both origination and the AS Path 
of a route object 

• AS path validation is challenging indeed in an environment of piecemeal use of 
secure credentials, as the mechanism cannot tunnel from one BGPsec "island" to 
the next "island" 

- A partially secured environment may incur a combination of 
high cost with marginal net benefit to those deploying BGPsec 



Concerns 



Is a trust hierarchy the best approach to use? 

- The concern here is concentration of vulnerability 

• If validation of routing information is dependent on the availability 
and validity of a single root trust anchor then what happens when 
this single digital artifact is attacked? 

- But can you successfully incorporate robust diversity of 
authentication of security credentials into a supposedly 
highly resilient secure trust framework? 

• This is very challenging! 



Concerns 



Is this the only way to achieve generally useful outcomes in 
securing routing? 

- Is this form of augmentation to BGP to enforce "protocol payload 
correctness" over-engineered, and does it rely on impractical models 
of universal adoption? 

- Can various forms of routing anomaly detectors adequately detect the 
most prevalent forms of typos and deliberate lies in routing with a far 
lower overhead, and allow for unilateral detection of routing 
anomalies? 

- Or are such anomaly detectors yet another instance of "cheap security 
pantomime" that offer a thinly veiled placebo of apparent security 
that is easily circumvented or fooled by determined attack? 



Good, Past, or Cheap? 
> 
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Thank You 
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